Novell Access Manager 3.0 SP4 Installation guide

Novell®
www.novell.com
novdocx (en) 11 July 2008
AUTHORIZED DOCUMENTATION
Novell Access Manager 3.0 SP4 Setup Guide
Access Manager
3.0 SP4 IR2
January 30, 2009
Setup Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities
on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.
See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information
on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
Copyright © 2006-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or
more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 9
1 Setting Up a Basic Access Manager Configuration 11
1.1 Understanding an Access Manager Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2 Prerequisites for Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.3 Creating a Basic Identity Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.4 Configuring the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.4.1 Configuring a Reverse Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.4.2 Configuring a Public Protected Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.5 Configuring the Access Gateway for Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.5.1 Verifying Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.5.2 Enabling Trusted Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
1.6 Setting Up an Identity Injection Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2 Configuring SSL VPN to Protect an Application 29
2.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.2 Injecting the SSL VPN Header. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3 Enabling SSL Communication 33
3.1 Identifying the SSL Communication Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.2 Using Access Manager Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.2.1 Configuring Secure Communication on the Identity Server. . . . . . . . . . . . . . . . . . . . 34
3.2.2 Configuring the Access Gateway for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.3 Using Externally Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.3.1 Obtaining Externally Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.3.2 Configuring the Identity Server to Use an Externally Signed Certificate . . . . . . . . . . 44
3.3.3 Configuring the Access Gateway to Use an Externally Signed Certificate . . . . . . . . 45
4 Clustering and Fault Tolerance 47
4.1 Installing Secondary Versions of the Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.1.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.1.2 Installing a Second Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
4.1.3 Understanding How the Consoles Interact with Each Other and Access Manager Devices . . . . 49
4.2 Clustering Identity Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.2.1 Services of the Real Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.2.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.2.3 Setting Up a Cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.3 Clustering Access Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.3.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.3.2 Configuring a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.4 Configuration Tips for the L4 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.4.1 Sticky Bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.4.2 Network Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.4.3 Health Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.4.4 Real Server Settings Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
4.4.5 Virtual Server Settings Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
5 Setting Up Firewalls 65
5.1 Required Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
5.2 Sample Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
5.2.1 The Access Gateway and Identity Server in the DMZ . . . . . . . . . . . . . . . . . . . . . . . . 73
5.2.2 A Firewall Separating Access Manager Components from the LDAP Servers . . . . . 74
5.2.3 Configuring the Firewall for the SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.2.4 Configuring the Firewall for the J2EE Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
6 Setting Up Federation 79
6.1 Understanding a Simple Federation Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
6.2 Configuring Federation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
6.2.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
6.2.2 Establishing Trust between Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
6.2.3 Configuring SAML 1.1 for Account Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
6.3 Sharing Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
6.3.1 Configuring Role Sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
6.3.2 Verifying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
6.4 Setting Up Federation with Third-Party Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
7 Digital Airlines Example 99
7.1 Installation Overview and Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
7.1.1 Installation Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
7.1.2 Deployment Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
7.2 Setting Up the Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
7.2.1 Installing the Apache Web Server and PHP Components. . . . . . . . . . . . . . . . . . . . 102
7.2.2 Installing Digital Airlines Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
7.2.3 Configuring Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
7.3 Configuring Public Access to Digital Airlines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
7.4 Implementing Access Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
7.4.1 Enabling an Authentication Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
7.4.2 Configuring a Role-Based Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
7.4.3 Assigning an Authorization Policy to Protect a Resource . . . . . . . . . . . . . . . . . . . . 119
7.4.4 Configuring an Identity Injection Policy for Basic Authentication . . . . . . . . . . . . . . . 123
7.4.5 Initiating an SSL VPN Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
7.5 Modifying the Digital Airlines Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
7.5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
7.5.2 Understanding the Example Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
7.5.3 Updating Static Graphics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
7.5.4 Updating Mouse-Over Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
7.5.5 Deploying Your Updated Example Web Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
8 Creating Novell Audit Queries 139
8.1 Setting Up the MySQL Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
8.1.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
8.1.2 Preparing MySQL for Novell Audit Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
8.1.3 Installing the JDBC Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
8.2 Logging Events to the MySQL Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
8.2.1 Creating the MySQL Log Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
8.2.2 Configuring the Audit Server to Log Events to the MySQL Log Channel . . . . . . . . 142
8.2.3 Configuring Access Manager Components to Log Audit Events . . . . . . . . . . . . . . . 145
8.3 Configuring Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
8.3.1 Enabling Queries to the MySQL Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
8.3.2 Configuring the Query Event List and Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
8.3.3 Performing a Query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
9 Protecting an Identity Server with an Access Gateway 149
About This Guide
This guide is intended to help you understand and set up a basic Access Manager 3.0 SP1
configuration.
IMPORTANT: In order to avoid configuration errors, it is strongly recommended that you closely
follow the steps outlined in this document during your initial Access Manager setup.
Chapter 1, “Setting Up a Basic Access Manager Configuration,” on page 11
Chapter 2, “Configuring SSL VPN to Protect an Application,” on page 29
Chapter 3, “Enabling SSL Communication,” on page 33
Chapter 4, “Clustering and Fault Tolerance,” on page 47
Chapter 5, “Setting Up Firewalls,” on page 65
Chapter 6, “Setting Up Federation,” on page 79
Chapter 7, “Digital Airlines Example,” on page 99
Chapter 8, “Creating Novell Audit Queries,” on page 139
Chapter 9, “Protecting an Identity Server with an Access Gateway,” on page 149
Not all Access Manager functionality and administrative tasks are discussed here. After you are
familiar with Access Manager and the steps in this section, you can use the Novell Access Manager
3.0 SP4 Administration Guide as the source for additional or advanced configuration.
Audience
This guide is intended for Access Manager administrators. It is assumed that you have knowledge of
evolving Internet protocols, such as:
Extensible Markup Language (XML)
Simple Object Access Protocol (SOAP)
Security Assertion Markup Language (SAML)
Public Key Infrastructure (PKI) digital signature concepts and Internet security
Secure Socket Layer/Transport Layer Security (SSL/TLS)
Hypertext Transfer Protocol (HTTP and HTTPS)
Uniform Resource Identifiers (URIs)
Domain Name System (DNS)
Web Services Description Language (WSDL)
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to www.novell.com/documentation/feedback.html and enter your
comments there.
Documentation Updates
For the most recent version of the Access Manager Setup Guide, visit the Novell Access Manager
Documentation Web site (http://www.novell.com/documentation/novellaccessmanager).
Additional Documentation
Novell Access Manager 3.0 SP4 Administration Guide
Novell Access Manager 3.0 SP4 Installation Guide
Novell Access Manager 3.0 SP4 Agent Guide
Documentation Conventions
In Novell® documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
1 Setting Up a Basic Access Manager Configuration
The initial setup for Novell® Access Manager consists of installing the components and setting up
the Identity Server and the Access Gateway to protect resources running on an HTTP Web server.
Access Manager can also be configured to protect other resources such as applications on J2EE*
servers and non-HTTP applications. These should be set up after you have created a basic setup. For
J2EE server applications, see the Novell Access Manager 3.0 SP4 Agent Guide. For non-HTTP
applications, see Chapter 2, “Configuring SSL VPN to Protect an Application,” on page 29.
This tutorial describes the following topics and tasks:
Section 1.1, “Understanding an Access Manager Configuration,” on page 11
Section 1.2, “Prerequisites for Setup,” on page 12
Section 1.3, “Creating a Basic Identity Server Configuration,” on page 13
Section 1.4, “Configuring the Access Gateway,” on page 18
Section 1.5, “Configuring the Access Gateway for Authentication,” on page 22
Section 1.6, “Setting Up an Identity Injection Policy,” on page 26
1.1 Understanding an Access Manager Configuration
The following figure illustrates the components and process flow that make up a basic configuration.
Figure 1-1 Basic Process Flow
1. The user requests access to a protected resource from the Access Gateway.
2. The Access Gateway redirects the user to the Identity Server, which prompts the user for a
username and password.
[Figure 1-1 diagram: Browser, Identity Server, LDAP Directory, Access Gateway, Web Server (with basic authentication), Web Page; the arrows numbered 1 through 7 correspond to the steps listed here, and the Access Gateway to Web Server leg is labelled Identity Injection.]
3. The Identity Server verifies the username and password against an LDAP directory user store
(eDirectory™, Active Directory*, or Sun ONE*).
4. The Identity Server returns an authentication artifact to the Access Gateway.
5. The Access Gateway retrieves the user’s credentials from the Identity Server.
6. The Access Gateway injects the basic authentication information into the HTTP header.
7. The Web server validates the authentication information and returns the requested Web page.
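Steps 6 and 7 describe the Access Gateway placing basic authentication credentials into the HTTP header and the Web server validating them. The following added example (illustration only, not Novell code) shows the two halves of that exchange in plain Python: the gateway-side injection, which replaces any Authorization header the client sent rather than passing it through, and the Web-server-side parsing and check. The credential table and header values are constructed samples; a real Web server stores password hashes rather than plain passwords, and this header must only travel on the gateway to Web server leg, which Chapter 3 covers securing with SSL.

```python
import base64
import hmac

# Constructed sample of what the Web server (step 7) knows; real servers store hashes.
WEB_SERVER_USERS = {"jsmith": "constructed-secret"}


def inject_basic_auth(headers, username, password):
    """Gateway side (step 6): return a copy of the request headers with an
    Authorization: Basic header for the authenticated user.

    Any Authorization header supplied by the browser is dropped first, so the
    Web server only ever sees credentials the gateway itself injected.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    out["Authorization"] = f"Basic {token}"
    return out


def parse_basic_auth(header_value):
    """Web server side: decode 'Basic <base64>' into (user, password).

    Returns None for any malformed value (wrong scheme, bad base64, no colon),
    which the caller treats as "not authenticated".
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def web_server_accepts(headers):
    """Web server side (step 7): True only if the injected credentials match."""
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None:
        return False
    user, password = creds
    expected = WEB_SERVER_USERS.get(user)
    # Constant-time comparison avoids leaking how many characters matched.
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    )


if __name__ == "__main__":
    # Constructed request as it might arrive from the browser, including a
    # client-supplied Authorization header that the gateway must not forward.
    request = {"Host": "mywebserver.com", "Authorization": "Basic Ym9ndXM="}
    forwarded = inject_basic_auth(request, "jsmith", "constructed-secret")
    print(forwarded["Authorization"])
    print("accepted:", web_server_accepts(forwarded))
```

The parser's None return covers the malformed cases a Web server actually meets (a Bearer token, non-base64 text, a decoded value with no colon); the gateway-side replacement is the part to keep in mind when reasoning about what the Web server trusts.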
You configure the Access Manager so that a user can access a resource on a Web server whose name
and address are hidden from the user. This basic configuration sets up communication between the
following four servers.
Figure 1-2 Basic Access Manager Configuration
Although other configurations are possible, this section explains the configuration tasks for this
basic Access Manager configuration. This section explains how to set up communication using
HTTP. For HTTPS over SSL, see Chapter 3, “Enabling SSL Communication,” on page 33.
1.2 Prerequisites for Setup
The following prerequisites are for setting up a basic Access Manager configuration:
An installed Access Manager version of iManager, called the Access Manager Administration
Console. See “Installing the Access Manager Administration Console” in the Novell Access
Manager 3.0 SP4 Installation Guide.
An installed Identity Server. See “Installing the Novell Identity Server” in the Novell Access
Manager 3.0 SP4 Installation Guide.
An installed Access Gateway (either NetWare® or Linux). See “Installing the Linux Access
Gateway” or “Installing the NetWare Access Gateway” in the Novell Access Manager 3.0 SP4
Installation Guide.
An LDAP directory store with a test user added. This store can be eDirectory, Active Directory,
or Sun ONE.
[Figure 1-2 labels: Server 1 Identity Server; Server 2 Access Gateway (Public DNS Name: www.mytest.com); Server 3 LDAP Directory; Server 4 Web Server (DNS Name: mywebserver.com); IP addresses shown in the figure: 10.10.167.53:80 and 10.15.70.21.]
A DNS server or modified host files to resolve DNS names and provide reverse lookups. For
information on which host files need to be modified, see Section 7.2.3, “Configuring Name
Resolution,” on page 104.
A Web server (IIS or Apache). The Web server should have three directories with three HTML
pages. The first directory (public) should contain a page (such as index.html) for public
access. This page needs to provide two links:
A link to a page in the protected directory. You will configure the Access Gateway to
require authentication before allowing access to this page. You do not need to configure
the Web server to protect this page.
A link to a page in the basic directory. You should already have configured your Web
server to require basic authentication before allowing access to this page. See your Web
Server documentation for instructions on setting up basic authentication. (This type of
access is optional, but explained because it is fairly common.)
If you do not have a Web server that you can use for this type of access, you might prefer to
configure Access Manager for the sample Web pages we provide. See Chapter 7, “Digital
Airlines Example,” on page 99.
A client workstation with a browser.
Browser pop-ups enabled for the browser on the client workstation.
1.3 Creating a Basic Identity Server Configuration
After you log in to the Administration Console, click Access Manager > Identity Servers. The
system displays the installed server, as shown in the following example:
At this point the Identity Server is in an unconfigured state and is halted. It remains in this state and
cannot function until you create an Identity Server configuration, which defines how an Identity
Server or Identity Server cluster operates.
NOTE: Before the Identity Server is configured, “Complete” might not display under the
Command Status until Tomcat is restarted.
When creating the Identity Server configuration, you specify the following information:
The DNS name for the Identity Server.
The IP address of an LDAP directory (user store). The LDAP directory is used to authenticate
users. The trusted root certificate of the user store is imported to provide secure communication
between the Identity Server and the user store.
The distinguished name and password of the administrator of the LDAP user store.
NOTE: This task is a basic setup to help you become familiar with Access Manager. It discusses
only the required fields for creating a configuration. For information about all of the fields in the
interface, see “Creating a Cluster Configuration” in the Novell Access Manager 3.0 SP4
Administration Guide.
To create an Identity Server configuration:
1 On a client workstation, enable browser pop-ups, then log in to the Administration Console.
For login information, see “Logging In to the Administration Console” in the Novell Access
Manager 3.0 SP4 Installation Guide.
2 In the Administration Console, click Access Manager > Identity Servers > Servers.
3 Select the check box by the Identity Server, then click New Cluster.
Selecting the server is one way to assign it to the cluster configuration.
4 In the New Cluster dialog box, specify a name for the cluster configuration.
If you did not select the server in the previous step, you can now select the server or servers that
you want to assign to this configuration. For more information about assigning servers to a
configuration, see “Assigning an Identity Server to a Cluster Configuration” in the Novell
Access Manager 3.0 SP4 Administration Guide.
5 Click OK.
The following example shows a new server configuration called idp-corporate:
6 Fill in the following fields to specify the properties for your Identity Server configuration:
Name: The name by which you want to refer to the Identity Server configuration. This field is
populated with the name you provided in the New Cluster dialog box. You can change this
here, if necessary.
Base URL: The application path for the Identity Server. The Identity Server protocols (Liberty
1.2, SAML 1.1, and SAML 2.0) rely on this base URL to generate URL endpoints for each
protocol.
Protocol: The communication protocol. Select HTTP for a basic setup.
Domain: The domain name used to access the Identity Server. For a basic setup, this is the
DNS name of the machine on which you installed the Identity Server. Using an IP address
is not recommended.
Port: The port values for the protocol. For HTTP, this is 8080.
Application: The Identity Server application path. Leave the default value as nidp.
7 Click Next.
The system displays the Organization page.
Use this page to specify organization information for the Identity Server configuration. The
information you specify on this page is published in the metadata of the Liberty 1.2 and SAML
protocols. The metadata is traded with federation partners and supplies various information
regarding contact and organization information located at the Identity Server.
The following fields require information:
Name: The name of the organization.
Display Name: The display name for the organization. This can be the same as the name
of the organization.
URL: The organization’s URL for contact purposes.
Optional fields include Company, First Name, Last Name, Email, Telephone, and Contact
Type.
8 Click Next.
The system displays the User Store page.
Use this page to configure the user store that references users in your organization. User stores
are LDAP directory servers to which end users authenticate. You can configure a user store to
use more than one replica of the directory server, to provide load balancing and failover
capability. You must reference an existing user store.
For more information about the options on this page and configuring the user store for load
balancing and failover, see “Configuring the User Store” in the Novell Access Manager 3.0
SP4 Administration Guide.
Name: A display name for the LDAP directory.
Admin Name: The distinguished name of the admin user of the LDAP directory.
Administrator-level rights are required for setting up a user store.
Admin Password and Confirm Password: The password for the admin user and the
confirmation for the password.
Directory Type: The type of LDAP directory. You can specify eDirectory, Active Directory,
or Sun ONE.
If eDirectory has been configured to use Domain Services for Windows, eDirectory behaves
like Active Directory. When you configure such a directory to be a user store, its Directory
Type must be set to Active Directory for proper operation.
9 Under Server Replicas, click New to specify the user store replica information. It is
recommended that you specify an LDAP server that contains a read/write replica.
Name: The display name for the LDAP directory server.
IP Address: The IP address of the LDAP directory server. The port is set automatically to the
standard LDAP ports.
10 Click Use secure LDAP connections. You must enable SSL between the identity user store and
the Identity Server. The port changes to 636, the secure LDAP port.
11 Click Auto import trusted root.
12 Click OK to confirm the import.
13 Select one of the certificates in the list.
You are prompted to choose either a server certificate or a root CA certificate. To trust one
certificate, choose Server Certificate. Choose Root CA Certificate to trust any certificate signed
by that certificate authority.
14 Specify an alias, then click OK.
An alias is a name you use to identify the certificate used by Access Manager.
15 Click Close, then click OK.
16 Under Server Replicas, verify the Validation Status.
The system displays a green check mark if the connection is valid. If it is red, you have a
configuration error:
Check the distinguished name of the admin user, the password, and the IP address of the
replica.
Check for network communication problems between the Identity Server and the LDAP
server.
17 Add a search context. Click New, specify the DN of the context, select a scope, then click OK.
The search context is used to locate users in the directory. If a user exists outside of the
specified search context and its scope (object, subtree, one level), the Identity Server cannot
find the user, and the user cannot log in.
If the search context you specify finds more than one user with the same username, the Identity
Server cannot authenticate these users. A username must be unique within a search context.
This is required for Active Directory or Sun ONE; it is optional for eDirectory, but
recommended. If a search context is not specified for eDirectory, the entire tree is searched
from the root.
18 Click Finish to save the server configuration.
19 Restart Tomcat as prompted.
The Health status icons for the configuration and the Identity Server should turn green. It might
take several seconds for the Identity Server to start and for the system to display a green light.
If the health does not turn green, see “Monitoring the Health of an Identity Server” in the
Novell Access Manager 3.0 SP4 Administration Guide.
20 (Optional) Verify the configuration by entering the Base URL of the Identity Server as the
URL in a browser. Log in using the credentials of a user in the LDAP server.
If the URL returns an error rather than displaying a login page, verify the following:
The browser machine can resolve the DNS name of the Identity Server.
The browser machine can access the port.
21 If you have already installed an Access Gateway, continue with one of the following:
To use your own Web server pages, continue with Section 1.4, “Configuring the Access
Gateway,” on page 18.
To use the Digital Airlines sample Web pages, continue with Chapter 7, “Digital Airlines
Example,” on page 99.
To install an Access Gateway, see “Installing the Linux Access Gateway” or “Installing the
NetWare Access Gateway” in the Novell Access Manager 3.0 SP4 Installation Guide.
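Step 17 states two rules that decide whether a login can succeed at all: the user must lie inside the configured search context for the chosen scope (object, one level, subtree), and the username must be unique within that context. The following added example (illustration only, not Novell code) models exactly those rules offline so you can reason about a planned search context before committing it. The directory is a constructed sample, DN handling is simplified (no RDN escaping, case-insensitive component match), and `cn` is assumed as the username attribute.

```python
"""Offline model of the Identity Server search-context rules from step 17.

Added illustration, not Novell code. SAMPLE_DIRECTORY is a constructed user
store; DNs are compared component by component after lowercasing, with no
support for escaped commas.
"""

# Constructed sample user store: DN -> attributes.
SAMPLE_DIRECTORY = {
    "cn=admin,o=novell": {"cn": "admin"},
    "cn=jsmith,ou=users,o=novell": {"cn": "jsmith"},
    "cn=akim,ou=users,o=novell": {"cn": "akim"},
    # Same username one level deeper: a duplicate under a subtree search.
    "cn=jsmith,ou=contractors,ou=users,o=novell": {"cn": "jsmith"},
    # Lives outside ou=users, so a context of ou=users,o=novell never finds it.
    "cn=bwong,ou=sales,o=novell": {"cn": "bwong"},
}

SCOPES = ("object", "onelevel", "subtree")


def dn_components(dn):
    """Split a DN into normalized RDN components, leaf first."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn, context_dn, scope):
    """True if entry_dn is reachable from context_dn with the given scope.

    object   : only the context entry itself
    onelevel : immediate children of the context
    subtree  : the context and everything beneath it
    """
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}, expected one of {SCOPES}")
    entry = dn_components(entry_dn)
    ctx = dn_components(context_dn)
    # The context must be a suffix of the entry DN for the entry to be under it.
    if len(entry) < len(ctx) or entry[len(entry) - len(ctx):] != ctx:
        return False
    depth = len(entry) - len(ctx)
    if scope == "object":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    return True


def find_user(directory, username, context_dn, scope, name_attr="cn"):
    """Apply the step 17 rules and return (status, matching_dns).

    status is "ok" (exactly one match, login can proceed), "not_found"
    (user outside the context or scope) or "ambiguous" (duplicate username
    within the context, which the Identity Server cannot authenticate).
    """
    matches = [
        dn for dn, attrs in directory.items()
        if attrs.get(name_attr) == username and in_scope(dn, context_dn, scope)
    ]
    if not matches:
        return "not_found", []
    if len(matches) > 1:
        return "ambiguous", matches
    return "ok", matches


if __name__ == "__main__":
    for user, ctx, scope in [
        ("akim", "ou=users,o=novell", "subtree"),
        ("jsmith", "ou=users,o=novell", "subtree"),
        ("jsmith", "ou=users,o=novell", "onelevel"),
        ("bwong", "ou=users,o=novell", "subtree"),
        ("bwong", "o=novell", "subtree"),
    ]:
        print(user, ctx, scope, "->", find_user(SAMPLE_DIRECTORY, user, ctx, scope))
```

The jsmith case is the one worth studying: with a subtree scope the duplicate under ou=contractors makes the name ambiguous, whereas a one-level scope on the same context finds exactly one entry. The bwong case shows the eDirectory default described in the text (no context, whole tree searched from the root) as a subtree search on o=novell.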
1.4 Configuring the Access Gateway
The basic Access Gateway configuration procedures have been divided into the following tasks:
Section 1.4.1, “Configuring a Reverse Proxy,” on page 18
Section 1.4.2, “Configuring a Public Protected Resource,” on page 20
1.4.1 Configuring a Reverse Proxy
You protect your Web services by creating a reverse proxy. A reverse proxy acts as the front end to
the Web servers in your DMZ or on your intranet and off-loads frequently repeated requests, which
frees up bandwidth and Web server connections. It also reduces exposure because the IP addresses and
DNS names of your Web servers are not revealed to the Internet: clients see only the Published DNS
Name and listening address of the Access Gateway. Hiding the servers is not a substitute for the
authentication and authorization you attach to the protected resources, however. A reverse proxy can
be configured to protect one or more proxy services.
To create a reverse proxy, you must create at least one proxy service with a protected resource. You
must supply a name for each of these components. Reverse proxy names and proxy service names
must be unique to the Access Gateway because they are configured for global services such as IP
addresses and TCP ports. For example, if you have a reverse proxy named products and another
reverse proxy named library, only one of these reverse proxies can have a proxy service named
corporate.
Protected resource names need to be unique to the proxy service, but they don’t need to be unique to
the Access Gateway because they are always accessed through their proxy service. For example, if
you have a proxy service named account and a proxy service named sales, they both can have a
protected resource named public.
This first reverse proxy is used for authentication. You need to configure the proxy service to use the
DNS name of the Access Gateway as its Published DNS Name, and the Web server and the resource
on that Web server need to point to the page you want displayed to the users when they first access
your Web site. You can use Access Gateway configuration options to allow this first page to be a
public site with no authentication required until the users access the links on the page, or you can
require authentication on this first page. The following configuration steps have you first configure
the protected resource as a public resource, then you modify the configuration to require
authentication.
1 In the Administration Console, click Access Manager > Access Gateways > Edit > Reverse
Proxy / Authentication.
2 In the Identity Server Cluster option, select the configuration you have assigned to the Identity
Server.
This sets up the trust relationship between the Access Gateway and the Identity Server that is
used for authentication.
3 In the Reverse Proxy List, click New, specify a display name for the reverse proxy, then click
OK.
4 Enable a listening address.
Listening Address(es): A list of available IP addresses. If the server has only one IP address,
only one is displayed and it is automatically selected. If the server has multiple addresses, you
can select one or more IP addresses to enable. You must enable at least one address by
selecting its check box.
TCP Listen Options: Options for configuring how requests are handled. You cannot set up the
listening options until you create a proxy service.
5 Ignore the SSL configuration options.
This basic configuration does not set up SSL, so browsers talk to the Access Gateway over plain
HTTP and everything they exchange with it, session cookies included, crosses the network
unencrypted. Use this only for an initial test setup. For SSL information, see Chapter 3,
“Enabling SSL Communication,” on page 33.
6 Configure a listening port.
Non-Secure Port: Select 80, which is the default port for HTTP.
Secure Port: This is the HTTPS listening port. This port is unused and cannot be configured
until you enable SSL.
7 In the Proxy Service List, click New.
8 Fill in the fields.
Proxy Service Name: A display name for the proxy service.
Published DNS Name: The DNS name you want the public to use to access your site. This
DNS name must resolve to the IP address you set up as the listening address. For the example
in Figure 1-2 on page 12, this name would be www.mytest.com.
Web Server IP Address: The IP address of your Web server. This is usually a Web server
with content that you want to share with authorized users and protect from all others. In Figure
1-2 on page 12, this is Server 4, whose IP address is 10.15.70.21.
Host Header: The name you want sent in the HTTP header to the Web server. This can be
either the Published DNS Name (the Forward Received Host Name option) or the DNS name
of the Web Server (the Web Server Host Name option).
Web Server Host Name: The DNS name that the Access Gateway should forward to the Web
server. This option is not available if you selected Forward Received Host Name for the Host
Header option. The name you use depends upon how you have set up the Web server. If your
Web server has been configured to verify that the host name in the header matches its name,
you need to specify that name here. In Figure 1-2 on page 12 the Web Server Host Name is
mywebserver.com.
9 Click OK.
10 Continue with Section 1.4.2, “Configuring a Public Protected Resource,” on page 20.
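The Host Header choice in step 8 decides which name the back-end Web server sees, and a server that verifies that name will refuse requests carrying the wrong one. The following Python is an added illustration written for this guide, not Novell code: it models the two options and a constructed stand-in for a Web server that checks the Host header. The names www.mytest.com, mywebserver.com and 10.15.70.21 are the ones this section takes from Figure 1-2; the assumption that a mismatched Host is answered with a 404 is a stand-in for whatever your own server does.

```python
"""Model of the Access Gateway proxy service 'Host Header' option.

Added illustration for the setup guide, not Novell code. StrictVirtualHost is a
constructed stand-in for a back-end Web server that verifies the Host header.
"""

FORWARD_RECEIVED_HOST_NAME = "forward_received_host_name"  # send the Published DNS Name
WEB_SERVER_HOST_NAME = "web_server_host_name"              # send the Web Server Host Name


def upstream_host_header(received_host, host_header_option, web_server_host_name=None):
    """Return the Host value the gateway sends to the Web server.

    received_host is the Host header the browser sent. Because the proxy service is
    selected by its Published DNS Name, this is normally that name.
    """
    if host_header_option == FORWARD_RECEIVED_HOST_NAME:
        return received_host
    if host_header_option == WEB_SERVER_HOST_NAME:
        if not web_server_host_name:
            raise ValueError("Web Server Host Name is required for this option")
        return web_server_host_name
    raise ValueError(f"unknown Host Header option: {host_header_option!r}")


class StrictVirtualHost:
    """Stand-in for a Web server configured to verify that Host matches its own name.

    Assumption: a request whose Host does not match is refused with 404 rather than
    served from a default site. Real servers differ; adjust to match yours.
    """

    def __init__(self, ip_address, server_name):
        self.ip_address = ip_address
        self.server_name = server_name.lower()

    def handle(self, headers):
        host = headers.get("Host", "").split(":", 1)[0].lower()
        if host != self.server_name:
            return 404, f"no site named {host!r} on {self.ip_address}"
        return 200, f"served {self.server_name} from {self.ip_address}"


def proxy_request(published_dns_name, host_header_option, web_server, web_server_host_name=None):
    """Simulate one browser request to the proxy service being forwarded to the Web server."""
    browser_headers = {"Host": published_dns_name}
    upstream_headers = dict(browser_headers)
    upstream_headers["Host"] = upstream_host_header(
        browser_headers["Host"], host_header_option, web_server_host_name
    )
    status, detail = web_server.handle(upstream_headers)
    return {"upstream_host": upstream_headers["Host"], "status": status, "detail": detail}


if __name__ == "__main__":
    backend = StrictVirtualHost("10.15.70.21", "mywebserver.com")
    # Forward Received Host Name: the server sees www.mytest.com and refuses it.
    print(proxy_request("www.mytest.com", FORWARD_RECEIVED_HOST_NAME, backend))
    # Web Server Host Name: the server sees its own name and serves the page.
    print(proxy_request("www.mytest.com", WEB_SERVER_HOST_NAME, backend, "mywebserver.com"))
```

If the Web server generates absolute links or redirects from the Host it receives, the Web Server Host Name option makes it emit mywebserver.com, which browsers cannot reach through the gateway; in that case either use Forward Received Host Name and configure the server to accept the published name, or rewrite the responses.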
1.4.2 Configuring a Public Protected Resource
The first protected resource in this configuration tutorial is configured to be a public resource. For
information on how to set up authentication for a protected resource, see Section 1.5, “Configuring
the Access Gateway for Authentication,” on page 22.
1 In the Proxy Service List, click [Name of Proxy Service] > Protected Resources.